Commit Graph

23035 Commits (59940feacc033b55aaa25b39121f537de77a7361)

Author SHA1 Message Date
loftwing 7db506887b Add exploit code 2017-09-13 10:36:36 -05:00
loftwing eb0d174987 Add disk_pulse_enterprise_get module 2017-09-13 10:19:24 -05:00
William Webb a07f7c9f42
Land #8520, Linux post module to find and collect TOR hidden service configurations 2017-09-12 13:39:18 -05:00
Erik Lenoir 27a517e0f6 Fix #8060, cf #8061 2017-09-12 18:41:51 +02:00
Brent Cook a7a17c677c fix internal usage of bindata objects when generating NTP messages 2017-09-12 09:54:09 -04:00
Anant Shrivastava 86726978ed
payload size updated 2017-09-12 19:23:31 +05:30
Craig Smith e4465c9350 Fixed a bug where flowcontrol caused the first packet to get lost 2017-09-11 19:00:53 -07:00
Craig Smith b218cc3c7f Merge branch 'master' into hw_auto_padding_fix 2017-09-11 18:30:34 -07:00
Craig Smith ad9329993d Added better padding and flowcontrol support. 2017-09-11 18:20:57 -07:00
Pearce Barry 7b87915e1f
Land #8923, Add additional error checking to mssql_clr_payload module 2017-09-11 17:39:33 -05:00
Jeffrey Martin a58552daad
Land #8825, Handle missing util.pump in nodejs shell payloads 2017-09-11 15:32:21 -05:00
Tod Beardsley 5f66b7eb1a
Land #8940, @h00die's second round of desc fixes
One ninja edit along the way as well.
2017-09-11 13:05:13 -05:00
Tod Beardsley cfbd3c1615
Fix spelling of Honeywell 2017-09-11 13:02:18 -05:00
james ba880d1a85 Changes to mssql_clr_payload error handling based on code review 2017-09-10 14:15:39 -05:00
Patrick Thomas 2966fb7c8c Accept @shawizard suggestion for formatting msg_body 2017-09-10 11:23:52 -07:00
james 861f4a6201 Changes to buildmaster_login from code review
Use peer property in messages instead of rhost rport combination for consistency.
Documentation updated accordingly.
2017-09-09 18:00:04 -05:00
james 47adfb9956 Fixes from code review to buildmaster_login
Per bcoles, the most important fixes are:
- Removing `self.class` from call to `register_options`
- Adding rescue to login_succeeded to handle bad json
2017-09-09 16:26:01 -05:00
h00die 7339658ba9 224 pages of spelling issues left 2017-09-09 09:52:08 -04:00
h00die 6289cc0b70 Merge branch 'spellin' of https://github.com/h00die/metasploit-framework into spellin 2017-09-08 22:20:39 -04:00
h00die 0910c482a9 35 pages of spelling done 2017-09-08 22:19:55 -04:00
Brent Cook 8f864c27e3
Land #8924, Add Apache Struts 2 REST Plugin XStream RCE 2017-09-08 13:59:52 -05:00
Brent Cook 54a62976f8 update versions and add quick module docs 2017-09-08 13:59:29 -05:00
William Vu 978fdb07b0 Comment out PSH target and explain why
I hope we can fix the PSH target in the future, but the Windows dropper
works today, and you can specify a custom EXE if you really want.
2017-09-08 13:41:06 -05:00
dmohanty-r7 c91ef1f092
Land #8768, Add Docker Daemon TCP exploit module 2017-09-08 12:50:00 -05:00
Pearce Barry 2ebf53b647
Minor tweaks... 2017-09-08 10:04:47 -05:00
h00die 00c593e0a2 55 pages of spelling done 2017-09-07 21:18:50 -04:00
William Vu a9a307540f Assign cmd to entire case and use encode for XML
Hat tip @acammack-r7. Forgot about that first syntax!
2017-09-07 19:36:08 -05:00
William Vu 8f1e353b6e Add Apache Struts 2 REST Plugin XStream RCE 2017-09-07 19:30:48 -05:00
Brent Cook a0181a4d54
Land #8831, Add Maven post-exploitation credential extraction module
Merge remote-tracking branch 'upstream/pr/8831' into upstream-master
2017-09-08 00:37:03 +02:00
James Barnett 7e9d0b3e9b
Fix permissions in docker priv_esc module
The previous command didn't give the original user enough permissions
to execute the payload. This was resulting in permission denied
and preventing me from getting a root shell.

Fixes #8937
2017-09-07 16:48:02 -05:00
Brent Cook c67e407c9c
Land #8880, added Cisco Smart Install (SMI) scanner 2017-09-07 08:06:03 -05:00
g0tmi1k accb77d268 Add PSH (Binary) as a target to web_delivery 2017-09-07 10:55:29 +01:00
Brent Cook 9877a61eff bump payloads 2017-09-07 01:36:25 -05:00
OJ 816e78b6f6 First pass of named pipe code for pivots 2017-09-07 01:33:53 -05:00
Patrick Thomas 5d009c8d0b remove dead code 2017-09-06 23:21:56 -07:00
Patrick Thomas 048316864c remove redundant return 2017-09-06 23:01:13 -07:00
Patrick Thomas 97d08e0da4 fix reviewer comments 2017-09-06 22:53:02 -07:00
Patrick Thomas d71f7876b8 initial commit of nodejs debugger eval exploit 2017-09-06 22:29:24 -07:00
g0tmi1k 96f7012fe7 Code clean up (URLs, ordering and printing) 2017-09-06 13:17:28 +01:00
g0tmi1k b884705a93 regsvr32_applocker_bypass_server -> web_delivery 2017-09-06 12:35:52 +01:00
g0tmi1k e7b4cb71b1 Add PSH-Proxy to multi/script/web_delivery 2017-09-06 12:27:04 +01:00
h00die be66ed8af3
Land #8788 exploits for Gh0st and PlugX malware controllers 2017-09-05 20:42:07 -04:00
james 44fb059cea Add error checking to mssql_clr_payload
Additional error checking had been added to exploits/windows/mssql/mssql_clr_payload
If an error is encountered when changing the trustworthy or clr setting, the exploit fails with a message.
2017-09-05 18:48:22 -05:00
Adam Cammack b0dc44fb86
Land #8909, Avoid saving some invalid creds 2017-09-05 12:43:03 -05:00
h00die d05c401866 modules cleanup and add docs 2017-09-04 20:57:23 -04:00
Pearce Barry 6051a1a1c1
Land #8910, Use meta redirect instead of JS redirect in 2 modules 2017-09-01 13:50:02 -05:00
Tod Beardsley 86db2a5771
Land #8888 from @h00die, with two extra fixes
Fixes spelling and grammar in a bunch of modules. More to come!
2017-08-31 14:37:02 -05:00
Tod Beardsley 8a045e65aa Spaces between commas 2017-08-31 14:29:23 -05:00
Tod Beardsley 642a13e820 Out out damn tick 2017-08-31 14:29:05 -05:00
Tim 86ee77ffb0 add aarch64 nops and fix aarch64 cmdstager 2017-08-31 18:48:58 +08:00
Adam Cammack 195c1e041f Update payload specs and sizes
Adds the new Aarch64 and R payloads

fix merge
2017-08-31 18:48:56 +08:00
Tim 7b71f60ea1 fix the stack 2017-08-31 18:35:18 +08:00
Tim 26f4fa3b09 setup stack 2017-08-31 18:35:17 +08:00
Tim a2396991f0 stager not setting up stack 2017-08-31 18:35:17 +08:00
Tim 6dbe00158f fix stager 2017-08-31 18:35:17 +08:00
james 49173818fd Addresses #8674
This type of redirection will work without javascript being enabled.

Modules:
multi/browser/firefox_xpi_bootstrapped_addon
multi/browser/itms_overflow

More info on the meta element:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
2017-08-30 23:16:46 -05:00
Pearce Barry 2bbba9c500
Avoid some ActiveRecord validation errors.
Per discussion with @bcoles in [PR 8759](https://github.com/rapid7/metasploit-framework/pull/8759#issuecomment-325028479), setting a login data's last_attempted_at value while also setting the status to UNTRIED will cause a validation error when there's a running+connected MSF DB.

This PR removes the handful of existing cases we're doing this (thx, @bcoles!).
2017-08-30 15:31:36 -05:00
Jon Hart eec5d2ada9
Update description and add link to SIET 2017-08-30 11:52:11 -07:00
Calum Hutton 3b745bd17c Rework the bash, redirect stdout/err to /dev/null
Dont need the -
2017-08-30 03:49:30 +01:00
Calum Hutton 9387a765e5 Fix msftidy warns/errs 2017-08-30 03:10:46 +01:00
Calum Hutton 4934023fa5 Use alternate system() payload, dont worry about restarts
Use nohup and & to background the meterpreter process
2017-08-30 03:10:46 +01:00
Calum Hutton d53f10554d Configurable restart command 2017-08-30 03:10:46 +01:00
Calum Hutton d0ff2694b3 Restart after payload process ends 2017-08-30 03:10:46 +01:00
Calum Hutton aee44e3bd2 Working meterpreter exploit
No service restart
2017-08-30 03:10:46 +01:00
Calum Hutton 7cfb5fcc97 Rename 2017-08-30 03:10:46 +01:00
Calum Hutton 8b67b710fa Add template 2017-08-30 03:10:46 +01:00
Brent Cook 202c936868
Land #8826, git submodule remote command execution 2017-08-29 18:11:32 -05:00
Brent Cook 46eeb1bee0 update style 2017-08-29 17:44:39 -05:00
Pearce Barry d5124fdc94
Land #8759, Add TeamTalk Gather Credentials auxiliary module 2017-08-29 13:17:28 -05:00
Tim 39299c0fb8 randomize submodule path 2017-08-29 16:54:08 +08:00
Brendan Coles c9e32fbb18 Remove last_attempted_at 2017-08-29 05:05:04 +00:00
h00die a40429158f 40% done 2017-08-28 20:17:58 -04:00
Brent Cook 1e8edb377f
Land #8873, cleanup enable_rdp, add error handling 2017-08-28 05:50:42 -05:00
Brent Cook 582b2e238e update mettle payload to 0.2.2, add background and single-thread http comms 2017-08-28 05:31:44 -05:00
Brent Cook 15ec40f5c6 update R cached sizes 2017-08-28 05:31:42 -05:00
h00die bd7ea1f90d more updates, 465 more pages to go 2017-08-26 21:01:10 -04:00
james 7dfde651ea Add login scanner module for Inedo BuildMaster
This module attempts to log into BuildMaster. BuildMaster is an application release automation tool.

More information about BuildMaster:
http://inedo.com/
2017-08-26 17:56:53 -05:00
Erik Lenoir a8067070f2 Fix typo 2017-08-26 17:52:11 +02:00
William Vu 924c3de9f3
Land #7382, BIND TSIG DoS 2017-08-26 10:42:35 -05:00
William Vu f9a2c3406f Clean up module 2017-08-26 10:41:10 -05:00
h00die 3420633f29 @NickTyrer corrected my correction 2017-08-26 08:43:10 -04:00
Erik Lenoir 801e3e2d68 Replace REXML with Nokogiri and try to cross id with mirror/repository tag 2017-08-25 18:28:09 +02:00
Jon P abaf80f3df
jmartin improvements (iter on keys + save as credentials) 2017-08-25 18:15:24 +02:00
h00die 32a4436ecd first round of spelling/grammar fixes 2017-08-24 21:38:44 -04:00
n00py 8f17d536a7 Update phpmailer_arg_injection.rb
Removed second parameter as it was not necessary.  Only changed needed was to change "send_request_cgi" to "send_request_cgi!"
2017-08-24 00:29:28 -06:00
n00py c49b72a470 Follow 301 re-direct
I found that in some cases, the trigger URL cannot be accessed directly.  For example, if the uploaded file was example.php, browsing to "example.php" would hit a 301 re-direct to "/example".  It isn't until hitting "/example" that the php is executed.  This small change will just allow the trigger to follow one 301 redirect.
2017-08-23 18:53:54 -06:00
Brent Cook 821121d40b
Land #8871, improve compatibility and speed of JDWP exploit 2017-08-23 18:53:47 -05:00
Jeffrey Martin cba4d36df2
provide missing bits for R platform 2017-08-23 16:58:48 -05:00
William Vu 4c285c0129
Land #8827, QNAP Transcode Server RCE 2017-08-22 23:07:01 -05:00
Jon Hart 7b18c17445
Appease rubocop 2017-08-22 14:53:21 -07:00
Brent Cook 128949217e more osx 2017-08-22 16:48:09 -05:00
Jon Hart 2969da3d70
Merge branch 'upstream-master' into feature/cisco-smi-scanner 2017-08-22 14:39:44 -07:00
Brent Cook bb120962aa more osx support 2017-08-22 14:01:48 -05:00
Brent Cook 7263c7a66e add 64-bit, osx support 2017-08-22 13:51:28 -05:00
Erik Lenoir be2739d335 Transform loots into creds 2017-08-22 11:57:51 +02:00
Brent Cook 33f2ebc2aa code cleanup 2017-08-21 22:46:30 -05:00
Brent Cook 58e332cc7c only fail if the group sids fail to resolve and we actually have to add a user 2017-08-21 22:36:40 -05:00
Louis Sato e01caac9ed
removing slice operators from jdwp_debugger 2017-08-21 16:36:54 -05:00
Brent Cook 031f48725f
add missing quotes 2017-08-21 16:16:03 -05:00
Brent Cook edbe8d73c2
Revert "Revert passive stance for multi/handler"
This reverts commit 66a4ea4f0b.
2017-08-21 16:14:23 -05:00
Brent Cook c14daf3fcc
Land #8857, Reverse and bind shells in R 2017-08-21 15:49:24 -05:00
Brent Cook 605330faf6
Land #8842, add linux/aarch64/shell_reverse_tcp 2017-08-21 15:44:28 -05:00
Brent Cook 430251b8f6
fix compatibility with php meterpreter 2017-08-21 15:37:31 -05:00
RageLtMan 2873a899db Address msftidy complaint 2017-08-21 03:39:03 -04:00
Tim d6d6c67f33 add stage_shell.s and cleanup 2017-08-21 14:42:30 +08:00
Tim e1a7494724 linux payloads should default to /bin/sh 2017-08-21 12:25:27 +08:00
Tim 9768a89bcd aarch64 staged shell 2017-08-21 11:14:42 +08:00
RageLtMan 7ab097a784 Unix cmd versions of R payloads
Use R to connect back from a unix shell.

Notes:
  We need to DRY this up - tons of copy pasta here, when we should
  really be instantiating the language specific payloads and just
  wrapping them with CLI execution strings.

Testing:
  None, yet, just did the quick port to wrap this and push to CI
  now that rex-arch #4 is in.
2017-08-20 21:25:57 -04:00
Brent Cook f961495860
Land #8625, Remove OpenSSL from Windows Meterp, packet header changes, and TLV packet encryption 2017-08-20 19:13:51 -05:00
Brent Cook b864083cbd
update payload sizes 2017-08-20 19:03:53 -05:00
Brent Cook eabe4001c2
Land #8492, Add IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution module 2017-08-20 18:48:22 -05:00
Brent Cook cbd7790e95
Land #8751, Add Asterisk Gather Credentials auxiliary module 2017-08-20 18:34:27 -05:00
Brent Cook 07ee33578d
Land 8804, tidy up mdaemon credential extraction module 2017-08-20 18:26:56 -05:00
Brent Cook 85df247c84 DRY up module, fix remaining style violations 2017-08-20 18:24:41 -05:00
Brent Cook 367c760927
window move is now directly in the template 2017-08-20 17:48:59 -05:00
Brent Cook e734a7923a
Land #8267, Handle multiple entries in PSModulePath 2017-08-20 17:44:30 -05:00
Brent Cook 1225555125
remove unnecessary require 2017-08-20 17:37:42 -05:00
Brent Cook 840c0d5f56
Land #7808, add exploit for VMware VDP with known ssh private key (CVE-2016-7456) 2017-08-20 17:36:45 -05:00
Brent Cook 88f39d924b
Land #8816, added Jenkins v2 cookie support 2017-08-20 14:58:38 -05:00
Brent Cook f7dc831e9a
Land #8799, Add module to detect Docker, LXC, and systemd-nspawn containers 2017-08-20 14:45:57 -05:00
Brent Cook aa797588e8
Land #8847, Look for sp_execute_external_script in mssql_enum 2017-08-20 14:32:35 -05:00
Brent Cook 2eba188166
Land #8789, Add COM class ID hijack method for bypassing UAC 2017-08-20 13:57:17 -05:00
Brent Cook e8ab518d76
Land #8853, Revert passive stance for multi/handler 2017-08-19 22:04:26 -05:00
RageLtMan d76616e8e8 Reverse and bind shells in R
Initial implementation of bind and reverse TCP shells in R.
Supports IPv4 and 6, provides stateless sessions which wont change
the cwd when cd is invoked since each command invocation actually
spawns a pipe to execute that specific line's invocation.

R injections are common in academic software written in a hurry by
students or lab administrators. The language runtimes are also
commonly found adjacent to valuable data, and often used by teams
which are not directly responsible for information security.

Testing:
  Local testing with netcat bind and rev handlers.

TODO:
  Add the appropriate platform/language library definitions
2017-08-19 06:12:05 -04:00
William Webb 6ecdb8f2cc
Land #8852, convert quest_pmmasterd_bof to cmd_interact/find 2017-08-18 13:20:17 -05:00
William Vu 66a4ea4f0b Revert passive stance for multi/handler
It's gotten to be a bit annoying. ExitOnSession=false was good, but this
was too much. Typing run -j isn't difficult.
2017-08-18 13:16:12 -05:00
Erik Lenoir cde319a5ec Optim module and add doc 2017-08-18 19:30:41 +02:00
Erik Lenoir b529c3551c Remove unused variable 2017-08-18 19:00:32 +02:00
h00die dc358dd087 unknow to unknown 2017-08-18 11:33:48 -04:00
William Vu d659cdc8f6 Convert quest_pmmasterd_bof to cmd_interact/find 2017-08-18 00:19:09 -05:00
Brent Cook ea5370486f minor unused variable fixes 2017-08-17 16:46:51 -04:00
Brent Cook 9c196041ce update youtube urls in post exploit module 2017-08-17 16:44:35 -04:00
Tim 8b4ccc66c7 add linux/aarch64/shell_reverse_tcp 2017-08-17 18:55:37 +08:00
james e642789674 Look for sp_execute_external_script in mssql_enum
sp_execute_external_script can be used to execute code in MSSQL.
MSSQL 2016+ can be configured to execute R code. MSSQL 2017 can
be configured to execute Python code.

Documentation:
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql
https://docs.microsoft.com/en-us/sql/advanced-analytics/tutorials/rtsql-using-r-code-in-transact-sql-quickstart

Interesting uses of sp_execute_external_script:
R - https://pastebin.com/zBDnzELT
Python - https://gist.github.com/james-otten/63389189ee73376268c5eb676946ada5
2017-08-16 21:40:03 -05:00
Richard Claus f07318c976 Fix post/linux/gather/hashdump NoMethodError 2017-08-16 00:56:32 -07:00
Brent Cook 70a82b5c67
Land #8834, add resiliency to x64 linux reverse_tcp stagers 2017-08-15 08:04:32 -04:00
Brent Cook df98c2a3dd update cached sizes again 2017-08-15 08:02:51 -04:00
Brent Cook debbc31142 use separate module names for x86 and x64 generators 2017-08-15 08:02:01 -04:00
tkmru 4dbf94556e update CacheSize 2017-08-15 12:54:30 +09:00
Brendan Coles ac976eee8e Add author 2017-08-15 03:27:40 +00:00
Brent Cook e3265c4b1b
Land #8697, fix oracle_hashdump and jtr_oracle_fast modules 2017-08-14 17:36:18 -04:00
Brent Cook 69c4ae99a7
Land #8811, fix peer printing with bruteforce modules 2017-08-14 17:31:48 -04:00
Erik Lenoir b4055a8071 Rename command 2017-08-14 23:26:18 +02:00
Erik Lenoir 55db70ec3e Handle case when locate is not here by using enum_directories_map 2017-08-14 23:25:01 +02:00
William Vu 1a4db844c0 Refactor build_brute_message for legacy printing 2017-08-14 11:17:34 -05:00
Brent Cook b8f56d14e0
Land #8698, Add HEADERS to php_eval module 2017-08-14 09:54:22 -04:00
Erik Lenoir 27822c2ccf Add Maven creds module 2017-08-14 14:59:59 +02:00
Brent Cook 9fdf2ca1f4
Land #8830, Cleanup auxiliary/scanner/msf/msf_rpc_login 2017-08-14 02:47:08 -04:00
Brendan Coles fa4fae3436 Cleanup auxiliary/scanner/msf/msf_rpc_login 2017-08-14 06:34:04 +00:00
Brent Cook 59086af261
Land #8771, rewrite linux x64 stagers with Metasm 2017-08-14 02:32:29 -04:00
Brent Cook 26193216d1
Land #8686, add 'download' and simplified URI request methods to http client mixin
Updated PDF author metadata downloader to support the new methods.
2017-08-14 01:40:17 -04:00
Brent Cook 7d4561e0fd rename to download_log to avoid conflicting with the mixin 2017-08-14 01:10:37 -04:00
Brent Cook 5d05ca154a added http client 'download' method and updates to pdf author module from @bcoles 2017-08-14 01:08:53 -04:00
Brendan Coles 0a374b1a88 Add QNAP Transcode Server Command Execution exploit module 2017-08-13 09:13:56 +00:00
Patrick Thomas 25764397ba Update CachedSizes for changed nodejs payloads
Fixes test failures
2017-08-12 23:21:54 -07:00
Tim 7881a7ddc4 git submodule command exec 2017-08-13 11:47:44 +08:00
zerosum0x0 ecfe3d0235 added optional DoublePulsar check 2017-08-11 11:36:59 -06:00
Pearce Barry bb5fffebc4
Land #8796, SMBLoris Denial of Service Module. 2017-08-09 16:24:55 -05:00
Pearce Barry 901a1fdd1b
Minor tweaks. 2017-08-09 15:44:32 -05:00
Jon Hart 1b6acd768e
Land #8817, fixing @jhart-r7's ruby 2.2 blunder 2017-08-09 13:19:20 -07:00
Christian Mehlmauer 1b6b29c22b
fix error with rdp scanníng 2017-08-09 21:32:15 +02:00
thesubtlety 7e860571ae fix bug where api_token auth was being used without token being set 2017-08-09 12:30:26 -04:00
thesubtlety 9bb102d72d add jenkins v2 cookie support 2017-08-09 12:29:31 -04:00
bwatters-r7 dd79aa3afb
Land #8627, Add post module multi/gather/jenkins 2017-08-09 10:43:21 -05:00
Brent Cook 0ac19087cd
Land #8720, add resiliency (retries + sleep) to linux x86 stagers 2017-08-08 19:36:47 -05:00
William Vu 3396afb41a Add IP and port (peer) to print_brute messages 2017-08-08 15:46:40 -05:00
William Vu 39e59805f9 Fix annoying print_brute messages in ssh_login 2017-08-08 15:15:23 -05:00
David Maloney 67e86da50b
make SMBLoris run continuously as requested
as per ZeroSum's request the module now runs
continuously, refreshing the connections on every pass
until manually killed
2017-08-08 10:16:16 -05:00
Agora Security 2fab8f5d2a Fix Spaces at EOL 2017-08-07 16:39:16 -04:00
Agora Security 663824de85 Fix indentation, fix how locations adds values and remove unnecesary code 2017-08-07 13:16:27 -04:00
Pearce Barry cfd377fbd4 Support padding on the CAN bus.
Also use a hash for passing options around instead of individual params.
2017-08-06 18:05:59 -05:00
james b8d794cc37 Identify systemd-nspawn containers in checkcontainer
Check the value of the "container" environment variable:
 - "lxc" indicates a LXC container
 - "systemd-nspawn" indicates a systemd nspawn container
2017-08-06 00:46:09 -05:00
james 9858147dae Add module to detect Docker and LXC containers
Detect Docker by:
 - Presence of .dockerenv file.
 - Finding "docker" in /proc/1/cgroup
Detect LXC by:
 - Finding "lxc" in /proc/1/cgroup
2017-08-05 18:59:36 -05:00
Martin Pizala 2383afd8dc
Fix improved error handling 2017-08-04 23:42:44 +02:00
David Maloney 289f03241b
add module documentation
add module docs for the new smbloris DoS
2017-08-04 16:10:44 -05:00
David Maloney 15cc2a9dc0
removedthreading stuff, tried keepalives
still seem to be topping out at
about 1.3GB allocated
2017-08-04 15:28:01 -05:00
Brent Cook 7ce813ae6e
Land #8767, Add exploit module for CVE-2017-8464
LNK Code Execution Vulnerability
2017-08-03 17:10:16 -05:00
Brent Cook da3ca9eb90 update some documentation 2017-08-03 17:09:44 -05:00
David Maloney e73ffe648e
tried adding supervisor model to smbloris
tried to overcome issues with slowdown
around the 4500 connection mark by using the
supervisor pattern to terminate the threads on
the backend. this seems to get us further, but we still
hit a slowdown and the allocations die out before
we hit any serious usage
2017-08-03 14:19:35 -05:00
David Maloney c9da2d56b9
first pass at SMBLoris DoS module
the first pass on the DoS module for SMBLoris
running into issues with it topping out around 600MB
2017-08-03 11:32:57 -05:00
Brent Cook ddd841c0a8 code style cleanup + add automatic targeting based on payload 2017-08-03 00:27:54 -05:00
Brent Cook b62429f6fa handle drive letters specified like E: nicely 2017-08-03 00:27:22 -05:00
Yorick Koster 46ec04dd15 Removed This PC ItemID & increased timeout in WaitForSingleObject
Remove the This PC ItemID to bypass (some) AV.

Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
2017-08-02 15:47:22 -05:00
Yorick Koster e51e1d9638 Added new DLL templates to prevent crashing of Explorer 2017-08-02 15:47:21 -05:00
Yorick Koster 3229320ba9 Code review feedback from @nixawk 2017-08-02 15:46:51 -05:00
Yorick Koster 565a3355be CVE-2017-8464 LNK Remote Code Execution Vulnerability
This module exploits a vulnerability in the handling of Windows
Shortcut files (.LNK) that contain a dynamic icon, loaded from a
malicious DLL.

This vulnerability is a variant of MS15-020 (CVE-2015-0096). The
created LNK file is similar except in an additional
SpecialFolderDataBlock is included. The folder ID set in this
SpecialFolderDataBlock is set to the Control Panel. This is enought to
bypass the CPL whitelist. This bypass can be used to trick Windows into
loading an arbitrary DLL file.
2017-08-02 15:46:30 -05:00
Martin Pizala b78cb12546
Ruby 2.2 support. See #8792 2017-08-02 18:06:48 +02:00
Jon P adbeab81da
Avoid exceptions 2017-08-02 15:03:36 +02:00
Brent Cook 6f97e45b35 enable Ruby 2.2 compat checks in Rubocop, correct multi/handler compat 2017-08-02 06:18:02 -05:00
OJ 54ded4300e
Land #8791 - Update Accuvant refs to point to Optiv 2017-08-02 13:26:52 +10:00
TC Johnson 8989d6dff2
Modified Accuvant bog posts to the new Optive urls 2017-08-02 13:25:17 +10:00
Brent Cook bb2304a2d1
Land #8769, improve style, compatibility, for ssh modules 2017-08-01 21:43:32 -05:00
Brent Cook 1d75a30936 update style for other ssh exploits 2017-08-01 16:05:25 -05:00
Brent Cook 8c9fb1d529 remove unneeded netssh checks in modules 2017-08-01 14:46:10 -05:00
Brent Cook 4395f194b1 fixup style warnings in f5 bigip privkey exploit 2017-08-01 14:45:05 -05:00
Brent Cook e61cccda0b
Land #8779, Adding error handler for ms17-010 exploit where SMBv1 is disabled 2017-08-01 14:00:12 -05:00
OJ 6ee5d83a15
Add the COM hijack method for bypassing UAC 2017-07-31 14:26:39 +10:00
Professor-plum 055d64d32b Fixed to modules as suggested from upstream
fixed typo in xtreme.rb when communicating with C&C
removed self.class from options on all three modules
added line to log path where loot has been stored in xtreme.rb
2017-07-30 10:14:05 -06:00
Martin Pizala 60c3882b84
Improved error handling 2017-07-30 09:07:52 +02:00
Professor-plum 99546330f1 Added PlugX Controller Stack Overflow Module
This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.

## Verification
Run the PlugX C2 server on a target windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a Plux Type 1 server that works good for testing.

- [ ] use exploit/windows/misc/plugx
- [ ] set RHOST [ip of target]
- [ ] set target 1
- [ ] exploit
- [ ] acknowledge the "PeDecodePacket" message on the target

Sample output:
```
msf> use exploit/windows/misc/plugx 
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check

[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >
2017-07-29 10:36:42 -06:00
Professor-plum c336daec8d Added Gh0st Controller Buffer Overflow Module
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution 

## Verification
Run the Gh0st C2 server on a target windows machine. The sample 0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c is a Gh0st 3.6 server that works good for testing.

- [ ] use exploit/windows/misc/gh0st
- [ ] set RHOST [ip of target]
- [ ] exploit

Sample output:
```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 192.168.161.1:4444 
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4
2017-07-29 10:21:05 -06:00
tkmru 14507747d0 update CachedSize 2017-07-29 23:42:43 +09:00
tkmru b1e26dd17e Merge branch 'master' of https://github.com/rapid7/metasploit-framework into feature/linux_reverse_tcp_x86_retry 2017-07-29 17:24:59 +09:00
wchen-r7 c5021bf665 Land #8761, Add CVE-2017-7442: Nitro Pro PDF Reader JS API Code X 2017-07-28 17:02:59 -05:00
Jon P 85f48b96bb
Fix syntax 2017-07-28 10:16:59 +02:00
Martin Pizala 6a20e1ac7d
Add module Rancher Server - Docker Exploit 2017-07-28 08:04:21 +02:00
multiplex3r b2ecaa489d Rescue only RubySMB::Error::CommunicationError 2017-07-27 19:19:45 +10:00
multiplex3r f2091928ec Adding no SMBv1 error handler for ms17-010 exploit 2017-07-27 16:21:09 +10:00
Ricardo Almeida 4845b4b1fa
Orientdb 2.2.x RCE - Fix regular expression for version detection 2017-07-26 14:35:05 +01:00
Jon P 2e87a3d3f8
Multi Gather Docker Credentials Collection 2017-07-26 15:14:16 +02:00
Ricardo Almeida 30664924c8
Orientdb 2.2.x RCE - Reverted to send_request_raw due to issues exploiting windows boxes 2017-07-26 13:59:14 +01:00
tkmru eb536ba67c Merge branch 'master' of https://github.com/rapid7/metasploit-framework into feature/linux_reverse_tcp_x64_retry 2017-07-26 09:48:17 +09:00
Martin Pizala 853ae9a6ce
Add new reference 2017-07-26 02:16:56 +02:00
1cph93 9c930aad6e Add space after comma in f5_bigip_known_privkey module to coincide with Ruby style guide 2017-07-25 19:43:29 -04:00
Martin Pizala cd418559bc
Docker Daemon - Unprotected TCP Socket Exploit 2017-07-26 00:21:35 +02:00
Brent Cook 354869205a make exploit/multi/handler passive
This gives exploit/multi/handler a makeover, updating to use more-or-less
standard Ruby, and removing any mystical hacks at the same time (like select
instead of sleep).

This also gives it a Passive stance, and sets ExitOnSession to be false by
default, which is the setting that people use 99% of the time anyway.
2017-07-24 15:47:06 -07:00
mr_me bf4dce19fb I added the SSD advisory 2017-07-24 14:25:10 -07:00
mr_me b099196172 deregistered SSL, added the HTA dodgy try/catch feature 2017-07-24 10:28:03 -07:00
mr_me 17b28388e9 Added the advisory, opps 2017-07-24 10:09:21 -07:00
mr_me 14ca2ed325 Added a icon loading trick by Brendan 2017-07-24 10:06:20 -07:00
mr_me b2a002adc0 Brendan is an evil genius\! 2017-07-24 09:58:23 -07:00
mr_me cc8dc002e9 Added CVE-2017-7442 2017-07-24 08:21:59 -07:00
Brendan Coles d66e8062e7 Add TeamTalk Gather Credentials auxiliary module 2017-07-24 14:24:38 +00:00
Brent Cook 6300758c46 use https for metaploit.com links 2017-07-24 06:26:21 -07:00
Brent Cook 80d18fae6a update example modules to have zero violations 2017-07-24 06:15:54 -07:00
Brent Cook 1d290d2491 resurrect one print_error/bad conversion for symmetry 2017-07-24 05:55:34 -07:00
Brent Cook 8db3f74b81 fix a broken link 2017-07-24 05:53:09 -07:00
Brent Cook 838b066abe Merge branch 'master' into land-8716 2017-07-24 05:51:44 -07:00
Ricardo Almeida 6c22f785e9
Orientdb 2.2.x RCE - Fine tune vulnerable version detection; removed redundant uri normalization checking; Swapped send_request_raw for send_request_cgi; using vars_get; 2017-07-24 09:52:47 +01:00
Brent Cook 8444038c62
Add eval alternative to PHP Meterpreter to bypass suhosin
See https://suhosin.org/stories/index.html for more information on this system.
2017-07-23 22:04:09 -07:00
Pearce Barry fb905c4bc7
Land #8754, fix some module documentation 2017-07-23 11:44:07 -05:00
Pearce Barry a140209c36
Land #8739, cleanup windows_autologin 2017-07-23 11:35:34 -05:00
Brent Cook 7c55cdc1c8 fix some module documentation
3 modules got documentation landed in the wrong spot. This also fixes a few
typos and improves formatting.
2017-07-23 07:46:52 -07:00
Brent Cook df22e098ed
Land #8695, Fix #8675, Add Cache-Control header, also meta tag for BAP2 2017-07-23 07:17:45 -07:00
Brent Cook 8c8dbc6d38
Land #8692, Fix #8685, Check nil condition for #wordlist_file in jtr modules 2017-07-23 07:12:21 -07:00
Brent Cook 2c3712479d
Land #8750, openssl_heartbleed fix, use ruby 2.4 OpenSSL::PKey::RSA API 2017-07-23 06:58:40 -07:00
Brent Cook b75530b978 Fix an issue where 'sleep' with Python Meterpreter appears to fail. 2017-07-23 05:38:06 -07:00
Brent Cook 399557124f
update payload cached sizes 2017-07-23 05:28:32 -07:00
Brendan Coles 109fd8b6d3 Add Asterisk Gather Credentials auxiliary module 2017-07-23 09:55:12 +00:00
Christian Mehlmauer b4bb384577
add @pbarry-r7 's feedback 2017-07-22 18:54:36 +02:00
g0tmi1k e710701416 Made msftidy.rb happy
...untested with the set-cookie 'fix'
2017-07-21 19:55:26 -07:00
Pearce Barry 6bb745744b
Land #8471, Add VICIdial user_authorization Unauthenticated Command Execution module 2017-07-21 15:57:08 -05:00
Evgeny Naumov 5d04775f5e use 2.4 OpenSSL::PKey::RSA api 2017-07-21 16:28:07 -04:00
g0tmi1k 524373bb48 OCD - Removed un-needed full stop 2017-07-21 07:41:51 -07:00
g0tmi1k 772bec23a1 Fix various typos 2017-07-21 07:40:08 -07:00
M4P0 c187f709dc Update geutebrueck_gcore_x64_rce_bo.rb
Review changes with msftidy.
2017-07-21 11:37:12 +02:00
Brent Cook 510ff888fd
Land #8439, native OSX meterpreter support 2017-07-20 22:01:49 -05:00
thesubtlety 7d033688ce clean up formatting 2017-07-19 17:27:44 -04:00
bwatters-r7 ffad0d1bbf
Land #8559, Ipfire oinkcode exec 2017-07-19 14:31:18 -05:00
bwatters-r7 116a838cb0 Version check update and stylistic fix 2017-07-19 13:26:40 -05:00
g0tmi1k 3f6925196b OCD - store_loot & print_good 2017-07-19 13:02:49 +01:00
g0tmi1k ef826b3f2c OCD - print_good & print_error 2017-07-19 12:48:52 +01:00
g0tmi1k 0f453c602e Even more print_status -> print_good 2017-07-19 11:46:39 +01:00
g0tmi1k df9b642746 More print_status -> print_good 2017-07-19 11:39:15 +01:00
g0tmi1k b8d80d87f1 Remove last newline after class - Make @wvu-r7 happy 2017-07-19 11:19:49 +01:00
g0tmi1k 3d4feffc62 OCD - Spaces & headings 2017-07-19 11:04:15 +01:00
Ricardo Almeida f3f96babb9
Orientdb 2.2.x RCE - Changed the java_craft_runtime_exec function; Tested the module against Win7-Pro-x64 with OrientDB v2.2.20 with StagerCmd flavors vbs and certutil with success 2017-07-19 10:46:10 +01:00
g0tmi1k a008f8e795 BruteForce - > Brute Force 2017-07-19 10:39:58 +01:00
thesubtlety 5d4105db33 minor fixes per rubocop 2017-07-18 22:36:45 -04:00
Christian Mehlmauer 0d3f5ae220
cleanup windows_autologin 2017-07-18 22:50:34 +02:00
Jon Hart 45f81f3c98
Squash some style issues 2017-07-18 12:45:02 -07:00
Brent Cook cc3168933f update mettle payloads, template generator 2017-07-18 13:13:38 -05:00
Ricardo Almeida 219987726f
Orientdb 2.2.x RCE - Changed the CmdStager flavor to VBS script 2017-07-18 17:18:14 +01:00
Ricardo Almeida 5ca523e2ce
Orientdb 2.2.x RCE - Add warning about windows 2017-07-18 17:11:54 +01:00
Ricardo Almeida af0a9c2f86
Orientdb 2.2.x RCE tidy stuff 2017-07-18 17:07:29 +01:00
Ricardo Almeida 99ba645034 Orientdb 2.2.x RCE 2017-07-18 16:53:44 +01:00
Brent Cook f5e76092d6 Merge branch 'master' into land-8439- 2017-07-18 08:25:18 -05:00
bwatters-r7 ba92d42b57 Updated version check per @bcoles 2017-07-17 15:52:50 -05:00
Jon Hart e93e524c3b
Merge branch 'upstream-master' into feature/rdp-scanner 2017-07-17 13:46:59 -07:00
Jon Hart 43e04c8894
Improve RDP probe packet 2017-07-17 13:14:47 -07:00
David Maloney 2a1c661c79
Land #8723, Razr Synapse local exploit
lands ZeroSteiner's Razr Synapse local priv esc module
2017-07-17 13:34:17 -05:00
tkmru 6c5d8279ca change to generate payload from metasm 2017-07-16 19:21:09 +09:00
Spencer McIntyre b4813ce2c7 Update the pre-exploit check conditions 2017-07-15 14:48:54 -04:00
Pearce Barry 9775df1f6e
Land #8586, Easy Chat Server 2 to 3.1 - Buffer overflow (SEH) exploit 2017-07-14 15:20:01 -05:00
David Maloney ee1c87b868
Land #8172, example modules
lands several example modules
2017-07-14 15:17:20 -05:00
Jon Hart e3e5c33b9b
WIP commit of RDP scanner 2017-07-14 13:02:43 -07:00
David Maloney 8f6cac9c37
Land #8652, rpc console write exploit
lands pr for the metasploit rpc console write exploit
2017-07-14 14:47:35 -05:00
David Maloney 0fde6c6b42
Land #8650, igss9 launch path
land pr to fix launch path in the igss9 exploit
2017-07-14 14:39:38 -05:00
Spencer McIntyre 833b2a67d4 Fix the architecture check for only x64 2017-07-14 07:06:54 -04:00
g0tmi1k 4720d1a31e OCD fixes - Spaces 2017-07-14 08:46:59 +01:00
g0tmi1k 9309115627 OCD - Banner clean up 2017-07-14 08:19:50 +01:00
g0tmi1k fd843f364b Removed extra lines 2017-07-14 08:17:16 +01:00
g0tmi1k a79692aac1 Typo 2017-07-14 08:16:30 +01:00
tkmru 5d45680bc1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework into feature/linux_reverse_tcp_x86_retry 2017-07-14 13:53:53 +09:00
tkmru f66021c8a2 update CachedSize 2017-07-14 13:53:43 +09:00
g0tmi1k 67310fa96c print_status -> print_good. [When it is successful, show it!] 2017-07-14 00:09:35 +01:00
g0tmi1k 424522147e OCD fixes - Start of *.rb files 2017-07-13 23:53:59 +01:00
bwatters-r7 de230478eb
Land #8566, Add ye olde NNTP Login Utility scanner module 2017-07-13 13:19:34 -05:00
Spencer McIntyre 5470670223 Change the hook for windows 10 compatibility 2017-07-13 11:49:06 -04:00
Jon Hart e52e9c147d
First commit for Cisco Smart Install Scanner 2017-07-12 19:12:06 -07:00
Pearce Barry 59de7d3635
Land #8671, Add a module for CVE-2017-7615 2017-07-12 14:58:02 -05:00
Pearce Barry 580219695a
Oof, missed the parens... 2017-07-12 13:52:59 -05:00
Pearce Barry aa22651340
Few style/spelling tweaks, nothing to see here... 2017-07-12 13:41:20 -05:00
James Barnett e43adf0223
Land #8710, explicitly use Rex::Encoder::XDR
The previous use of XDR in these modules allowed for namespace collisions
with similar gems.
2017-07-12 12:01:24 -05:00
Brent Cook 345407b0a4 Rex::Encoder::XDR conflicts with the XDR gem 2017-07-12 11:52:10 -05:00
Pearce Barry e69460a529
Land #8683, Remove duplicate setting of suhosin.simulation in php_cgi_arg_injection 2017-07-12 09:34:35 -05:00
h00die b7d082fe06
land #8679 update to credits for rfpwnon 2017-07-11 19:36:41 -04:00
William Webb aa0fca9dd1
Land #8631, Add railgun support to Python Meterpreter for the OSX
platform
2017-07-11 16:05:16 -05:00
RageLtMan 5473b2132d Implement :request_url for Msf HttpClient mixin
To round out implementation of a simple path for users to access
HttpClient like Open or Net::HTTP, create :request_url method which
takes a single URL parameter, uses :request_opts_from_url to build
the request configuration for Rex::Proto::Http::Client, executes
a GET request with it, and disconnects the client unless keepalive
is specified as the second parameter to :request_url.

Example usage of functionality is implemented in http_pdf_authors.
2017-07-11 16:07:13 -04:00
Adam Cammack 14b37c2101
Land #8691, Improve php reverse_tcp stager logic 2017-07-11 13:50:27 -05:00
Tim db8698e82b
Land #8655, add error handling to mipsle linux reverse tcp stager 2017-07-11 22:33:54 +08:00
Matt Robinson 55cbd9b6a9
Add headers to php_eval 2017-07-10 21:25:27 -04:00
David Maloney 6d7a066477
fixes oracle_hashdump and jtr_oracle_fast modules
fixes functionality in the oracle database hashdumper
and the oracle hash cracker modules
2017-07-10 16:57:57 -05:00
wchen-r7 50b1ec4044 Fix #8675, Add Cache-Control header, also meta tag for BAP2
Hopefully that browsers will respect this.

Fix #8675
2017-07-10 16:05:09 -05:00
Spencer McIntyre 53d5060fbd Add the LPE for CVE-2017-9769 2017-07-10 16:57:23 -04:00
wchen-r7 fe360e3e2a Fix #8685, Check nil condition for #wordlist_file in jtr modules
JTR modules should never assume there is always a database
connected while using #wordlist_file, considering a database is
an optional component for Framework.

Fix #8685
2017-07-10 11:18:20 -05:00
David Maloney 2ee6df66cf
Land #8514, wmi persistence module 2017-07-10 09:53:55 -05:00
NickTyrer f4c739c190 check if running as system 2017-07-10 10:05:57 +01:00
RageLtMan df697aa23c Implement HttpClient options generation from URL
To address the complexity which comes with the flexibility offered
by Rex::Proto::Http::Client and its Msf mixin descendant, a simple
process needs to be implemented for issuing a request using only
the URL string in order to provide ease of access to users who may
not have the time to study how these clients work in detail.

Implement :request_opts_from_url in Msf's HttpClient mixin such as
to extract the options required for :send_request_* from a URL
string passed into the method. This approach reduces HTTP requests
in the mixin to `send_request_raw(request_opts_from_url(url))` when
`url` is just a string.

Implement this approach in the http_pdf_authors gather module to
further reduce infrastructure complexity around the simple need to
acquire PDF files via HTTP/S.

Testing:
  Local to this module only, and in Pry of course. Seems to work...
2017-07-10 04:19:26 -04:00
RageLtMan 997150a215 Use Msf::Exploit::Remote::HttpClient
Replace Net::HTTP usage with proper Rex::Proto::Http::Client via
the Msf module mixin. Generate the request opts from the same URI
parsed URL string, execute a one shot GET request, disconencting
after reciept of results. Depending on the response code, either
pass back an empty StringIO or if its 200, a StringIO(res.body).
2017-07-10 03:37:41 -04:00
Dave Farrow 653890f9d4
fixed unit tests 2017-07-09 16:08:32 -07:00
Emanuel Bronshtein df024bb594 Remove duplicate setting of suhosin.simulation 2017-07-10 00:46:05 +03:00
jvoisin 263a42707e Fix a typo 2017-07-09 16:34:51 +02:00
jvoisin 8510cda5ae Implement @bcoles advices 2017-07-09 16:34:10 +02:00
Tim 75c571de83
Land #8653, add error handling to mipsbe linux reverse tcp stager 2017-07-09 19:36:15 +08:00
Tim cd0c2c213f pedantic tweaks 2017-07-09 19:36:03 +08:00
Corey Harding 50339289a7 Update rfpwnon.rb 2017-07-09 05:12:35 -04:00
jvoisin f10cf75ae0 Fix some stuff 2017-07-09 10:45:15 +02:00
jvoisin 5fe805aaca s/\t/ /g 2017-07-09 02:29:37 +02:00
jvoisin 968fa0c244 Add even more references 2017-07-09 02:27:54 +02:00
jvoisin ae930ae7c1 Add a module for CVE-2017-7615 2017-07-09 02:14:21 +02:00
Brendan Coles 8e2ff7a4c5 Add command stager and code cleanup 2017-07-07 16:54:56 -05:00
William Vu b3be89b508
Land #8663, typo fix for zoomeye_search 2017-07-07 16:53:48 -05:00
dmohanty-r7 8f464e17a1
Land #8658, Add Gather PDF Authors auxiliary module 2017-07-07 16:20:29 -05:00
MD5HashBrowns e5244f3113 Fixed typo 2017-07-07 15:26:37 -04:00
Brendan Coles 683ce10167 Add URL option 2017-07-07 18:42:00 +00:00
Brent Cook 3bda361544 add old hackingteam leak name 2017-07-07 00:52:11 -05:00
Brent Cook f4820d24fb add a few more AKA references 2017-07-06 22:43:46 -05:00
Brendan Coles d864ce16b1 Add Gather PDF Authors auxiliary module 2017-07-06 23:29:17 +00:00
William Vu f45facdf6e Fix HTTP verb in jboss_vulnscan print_status 2017-07-06 14:55:33 -05:00
tkmru a4a959266b update cachedSize 2017-07-06 17:43:27 +09:00
tkmru ed0b5a843d add error handling bin to reverse_tcp on mipsbe 2017-07-06 17:34:22 +09:00
tkmru 2d8a71de6f tab to space 2017-07-05 18:22:06 +09:00
tkmru 615eb53796 update cachedSize 2017-07-05 18:05:38 +09:00
tkmru d02d6826a9 fix reverse tcp stager src 2017-07-05 17:56:59 +09:00
tkmru d1f08a80bd add error handling to reverse_tcp on mipsbe 2017-07-05 17:50:49 +09:00
Brendan Coles baff473cae Add Metasploit RPC Console Command Execution module 2017-07-05 08:48:35 +00:00
syndrome5 45af651993 Fix issue generate/launch path
Generate file in C:\ but try to launch it in Documents and Settings\All Users\Application Data\7T\
PoC with windows/meterpreter/reverse_tcp
2017-07-04 22:14:32 +02:00
dmohanty-r7 aa387e96a7
Land #8577, Add SurgeNews User Credentials scanner 2017-07-03 10:14:03 -05:00
Roman 38b1e56bbd negated wording regarding legacy auth
According to the docs this variable means the opposite:
https://dev.mysql.com/doc/refman/5.5/en/mysql-command-options.html#option_mysql_secure-auth
OFF     ->      insecure
ON      ->      secure
2017-07-03 14:29:07 +02:00
Brendan Coles dff96ce9a0 Re-order includes with Auxiliary::Scanner last 2017-07-01 08:30:17 +00:00
Pearce Barry a2602bf514
Land #8600, Add GoAutoDial 3.3 RCE Command Injection / SQL injection module 2017-06-30 17:32:51 -05:00
Pearce Barry dd530a2953
Minor indentation tweaks. 2017-06-30 17:29:43 -05:00
Pearce Barry 3d4d03c9b4
Land #8575, Cerberus Helpdesk hash disclosure 2017-06-30 16:02:53 -05:00
Brent Cook 40f0d36f6b
Land #8615, add @artkond's DoS module for Cisco CVE-2017-3881 2017-06-30 11:17:09 -04:00
NickTyrer 994f00622f tidy module output 2017-06-29 16:12:23 +01:00
William Vu 7e1b50ab3b
Land #8629, AKA (also known as) module reference 2017-06-28 19:15:45 -05:00
Brent Cook aa8c580aba updates 2017-06-28 20:14:38 -04:00
Brent Cook d20036e0fb revise spelling, add heartbleed and tidy checks 2017-06-28 18:50:20 -04:00
William Vu 43d8c4c5e7
Land #8519, Apache ActiveMQ file upload exploit 2017-06-28 17:19:39 -05:00